
How To Make Your Website A GDPR Compliant One

It is high time to make your website GDPR compliant, as the regulation comes into effect on May 25th, 2018. If you would like to revisit our article on what GDPR is and how it can affect a site owner or developer, you can read our previous article here.

What do you have to do to comply with GDPR?

Now that you know what GDPR is and what it is about, here are the steps to follow to be compliant with GDPR.

Update your ‘Privacy Policy’ and ‘Terms and Conditions’

These pages are among the key items for GDPR compliance. They should tell the user:

How you are using their personal data

With whom you are sharing their data

What cookies are used on your site and their purpose

Whether they consent to receiving order notification emails

Consents

Simply visiting a site is no longer considered consent. User consent must be collected by means of an opt-in checkbox or an explicit settings choice.

It is equally important that users are able to withdraw consent easily. If consent is asked for via opt-in boxes in a settings menu, the user should be able to return to that menu and update their preferences.

Unless a user explicitly says that they would like to be included in the list, don't add them. Silence is not considered consent.

A user giving consent to process their personal data does not mean you can process it indefinitely. The consent should be collected or renewed every 12 months from the time of the user's first visit to the site.

A cron job can be set up to automatically email users and collect renewed consent.
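The consent rules above (opt-in only, easy withdrawal, renewal every 12 months, a cron job that asks for renewal) as an added example, not code from the original article. It assumes consent is recorded per purpose, that the 12 months run from the date the box was ticked or last renewed, and that the job starts emailing 30 days before expiry.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

RENEWAL_PERIOD = timedelta(days=365)  # the page's "every 12 months"
PURPOSES = ("order_notifications", "marketing_emails", "analytics")

@dataclass
class Consent:
    granted_at: Optional[datetime] = None   # None = the box was never ticked (silence)
    withdrawn_at: Optional[datetime] = None

@dataclass
class User:
    user_id: int
    consents: Dict[str, Consent] = field(default_factory=lambda: {p: Consent() for p in PURPOSES})

def grant(user, purpose, now):
    """Explicit opt-in, or a renewal: starts a fresh 12-month window."""
    user.consents[purpose] = Consent(granted_at=now)

def withdraw(user, purpose, now):  # must be as easy as opting in; takes effect immediately
    user.consents[purpose].withdrawn_at = now

def expires_at(c):
    """End of the 12-month window, or None when there is no live, explicit consent."""
    if c.granted_at is None or c.withdrawn_at is not None:
        return None
    return c.granted_at + RENEWAL_PERIOD
def has_valid_consent(user, purpose, now):
    exp = expires_at(user.consents[purpose])
    return exp is not None and now < exp

def due_for_renewal(users, now, notice=timedelta(days=30)):  # assumption: 30 days' notice
    """Cron job body: (user_id, purpose) pairs whose consent expires within the notice period."""
    return [(u.user_id, p) for u in users for p in PURPOSES
            if (exp := expires_at(u.consents[p])) is not None and exp - now <= notice]

T0 = datetime(2018, 5, 25)  # constructed sample timeline for the demo

def demo():
    u = User(1)
    silent = has_valid_consent(u, "marketing_emails", T0)  # False: silence is not consent
    grant(u, "marketing_emails", T0)
    fresh = has_valid_consent(u, "marketing_emails", T0 + timedelta(days=100))  # True
    notices = due_for_renewal([u], T0 + timedelta(days=340))  # [(1, "marketing_emails")]
    expired = has_valid_consent(u, "marketing_emails", T0 + timedelta(days=365))  # False
    withdraw(u, "marketing_emails", T0 + timedelta(days=10))
    after_withdraw = has_valid_consent(u, "marketing_emails", T0 + timedelta(days=20))  # False
    return silent, fresh, notices, expired, after_withdraw
```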

Cookies

Cookies are considered 'personal information'; therefore you have to disclose all of the cookies set by your site, why they are set, and give the user the option to opt out before they are set.

However, some types of cookies are exempt from the consent requirement, for example cookies used on a merchant website, session ID cookies for the duration of a session, and authentication cookies. These are listed in the 'Guidance on Cookie Consent and Expiration' by the French Data Protection Authority [1].

Whichever cookies you are using, third-party or custom, you should make the information visible to the user in simple words. For example, if you are using Google Analytics, a sample privacy statement could be:

This website uses Google Analytics to help analyse how visitors use this site. No personally identifiable information is collected about you unless you explicitly submit that information on this website. The information collected is used to create reports of activities on this site. We use this to provide relevant content to our visitors.

Cookie Banner

Instead of the old disclaimer 'By browsing the site you accept cookies', you have to be clearer about the cookie policy. The disclaimer should specify the exact purpose of the cookies and the fact that by continuing to browse the website the user accepts their use. You can add the types of cookies used on the site, for instance Necessary, Marketing, Analytics, etc., with checkboxes.

The cookie banner of 'The Marketing Eye' [4] can be taken as a reference.

There should also be a link to a 'More information' page explaining how to opt out of or refuse cookies.

Now, what happens to the content or orders on your site if you have to delete a user's entire data?

The law does not describe in detail how data should be deleted. If you want to keep the data for audit purposes, you can either state this in the privacy policy or remove all of the user's personal information and replace the affected fields with pseudonyms.

If you send users' personal data to third parties such as Salesforce or HubSpot, you are obliged to instruct all of those third parties to delete the user's personal information, via an API call or similar.

This brings up another issue: backups. You should keep a separate list of forgotten user IDs so that when a restore occurs, you re-forget the forgotten users.

Right of Data Portability

Users should be given an option to export all of their personal information.

An 'Export Data' button can be included in the user dashboard.

The exported data can be in the form of a CSV file or a spreadsheet.

If your website only stores information such as favourites, bookmarks, etc., then providing this feature is not mandatory, as this does not fall under personal information.

Age Checks

You should check your users' age, and if a user is a child below 16, the law states that parental consent must be obtained. How to obtain it is not well defined, but one option is to provide a field for the parent's email address and verify it.

Delete Data that are No Longer Needed

You should explicitly state how long users' personal data will be stored on your site and delete it after that period.

If you run an e-commerce site, you should create a cron job to anonymise order information once delivery is complete.
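An added example, not the article's code, covering both the delivered-order anonymisation job just described and the earlier erasure section: pseudonymising a user, blanking the personal fields of their orders, keeping the forgotten IDs on a separate list, and replaying that list after a backup restore. It assumes an in-memory dict stands in for the database, a keyed HMAC is used as the pseudonym, and the sample records are constructed.

```python
import hashlib
import hmac

PSEUDONYM_KEY = b"constructed-demo-secret"  # production: keep this key out of the DB and its backups
PII_FIELDS = ("name", "email", "address")

def pseudonym(user_id):
    """Stable, non-reversible stand-in for the user ID, so audit rows still join."""
    return "user-" + hmac.new(PSEUDONYM_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()[:12]

def anonymise_order(order):
    """Blank the personal (shipping) fields of an order; accounting fields stay."""
    for f in PII_FIELDS:
        if f in order:
            order[f] = None
    return order

def anonymise_delivered_orders(db, today):
    """Cron job body: anonymise every delivered order that still holds personal data."""
    count = 0
    for order in db["orders"]:
        delivered = order.get("delivered_at")  # ISO date string, so <= compares correctly
        if delivered and delivered <= today and any(order.get(f) for f in PII_FIELDS):
            anonymise_order(order)
            count += 1
    return count

def forget_user(db, user_id):
    """Right to erasure: pseudonymise the user row and their orders, and record the ID."""
    alias = pseudonym(user_id)
    user = db["users"].get(user_id)
    if user is not None:
        for f in PII_FIELDS:
            user[f] = None
        user["pseudonym"] = alias
    for order in db["orders"]:
        if order["customer"] == user_id:
            anonymise_order(order)["customer"] = alias
    db["forgotten_ids"].add(user_id)  # the separate list that the restore step replays
    return alias

def reapply_forgotten(restored_db, forgotten_ids):
    """After a backup restore, re-forget every user on the separately kept list."""
    restored_db.setdefault("forgotten_ids", set())
    for uid in sorted(forgotten_ids):
        forget_user(restored_db, uid)
    return restored_db

def sample_db():  # constructed sample records for the demo, not real customer data
    return {"users": {7: {"name": "Ada", "email": "ada@example.com", "address": "1 Main St"},
                      8: {"name": "Bob", "email": "bob@example.com", "address": "2 High St"}},
            "orders": [{"id": 100, "customer": 7, "total": 42.0, "address": "1 Main St", "delivered_at": "2018-05-01"},
                       {"id": 101, "customer": 8, "total": 9.5, "address": "2 High St", "delivered_at": None}],
            "forgotten_ids": set()}
```

The forgotten-ID list is the one table that must live outside the restored snapshot; restoring it from the same backup would silently un-forget users erased after the snapshot was taken.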

Technical and Security Measures

Audit logs should be kept, and you should be careful about potential sources of data misuse such as employee logins, unprotected servers and insecure connections.

You should ensure that the access permissions given to a user are correct and that they are not authorised to access sensitive information.

As an additional note, we would like to highlight that you don't have to implement everything mentioned above unless you are processing the personal data of EU citizens. To know more, get in touch with us.